
Providing application visibility for micro-segmentation of a network deployment

Active Publication Date: 2018-06-21
NICIRA

AI Technical Summary

Benefits of technology

The patent describes a method for monitoring and analyzing network traffic to identify applications and policies. It involves collecting packet flows, monitoring them for specific applications, analyzing them to identify protocols and flows, and reducing them into smaller groups for further analysis. The method can be used in environments with a set of applications without accessing the network topology, and it uses deep packet inspection to identify unique network traffic. The analysis helps in creating security suggestions and policies for firewalls. The technical effects of the patent are improved network visibility, application protection, and effective firewall rules.

Problems solved by technology

Deploying micro-segmentation with appropriate policies, however, is turning out to be a challenging proposition.
Since most enterprise applications are not documented in terms of their intra-application communications, the security teams are not aware of all the components that constitute the application, and, more importantly, of the internal communications that actually happen across those components.
In addition, the application developers that built an original application may have moved on, making authoritative application behavior determination a challenging task.
Other than this port that needs to be opened, the firewall administrators are not typically aware of all intra-application communications that need to be permitted for the application to work as intended.
As a result, the administrators end up not having sufficient control for the intra-application communications.
Although micro-segmentation as a technology enables firewall administrators to build very granular access control rules for intra-application components, it is often a challenge for the firewall administrators to understand all different communications that need to be enabled between these components to make sure an application actually works as expected.

Embodiment Construction

[0044]In the following detailed description of the invention, numerous details, examples, and embodiments of the invention are set forth and described. However, it should be understood that the invention is not limited to the embodiments set forth and that the invention may be practiced without some of the specific details and examples discussed.

[0045] Some embodiments provide a method of defining micro-segmentation or security policies using a zero trust model for new and existing applications in a datacenter. In a zero trust model, a network is divided into small (or micro) segments and security is applied at the boundaries of each micro-segment. The method analyzes packet traffic generated by the virtual machines that implement these applications. The method receives a selection of a set of seed nodes (for instance through a user interface) and performs flow collection, flow analysis and security policy definition for the seeds in parallel.

[0046] Some embodiments perform flow mon...


Abstract

A method of creating micro-segmentation policies for a network is provided. The method identifies a set of network nodes as seed nodes. The method monitors network packet traffic flows for the seed nodes to collect traffic flow information. The method identifies a set of related nodes for the set of seed nodes based on the collected network flow information. The method analyzes the collected network flow information to identify micro-segmentation policies for the network.
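The seed-based workflow stated in the abstract and in paragraph [0045] (collect flows for the seeds, expand to related nodes, derive policies from the observed flows) as a small added example; this is illustrative code written for this page, not the patent's or Nicira's implementation, and the flow records, node names and the one-hop expansion depth are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port, proto); not from the patent.
FLOWS = [
    ("web-1", "app-1", 8080, "tcp"),
    ("web-2", "app-1", 8080, "tcp"),
    ("app-1", "db-1", 3306, "tcp"),
    ("app-1", "cache-1", 6379, "tcp"),
    ("lb-1", "web-1", 443, "tcp"),
    ("lb-1", "web-2", 443, "tcp"),
    ("monitor-1", "db-1", 9100, "tcp"),  # two hops from the web seeds
    ("hr-1", "payroll-1", 443, "tcp"),   # unrelated application, never reached
]

def collect_flows(flows, nodes):
    """Flow collection: keep only flows where a node of interest is source or destination."""
    return [f for f in flows if f[0] in nodes or f[1] in nodes]

def identify_related_nodes(flows, seeds, max_hops=1):
    """Expand from the seed nodes to the peers they exchange traffic with, up to max_hops away."""
    related, frontier = set(seeds), set(seeds)
    for _ in range(max_hops):
        new = set()
        for src, dst, _port, _proto in collect_flows(flows, frontier):
            new.update((src, dst))
        new -= related
        if not new:
            break
        related |= new
        frontier = new
    return related

def derive_policies(flows, nodes):
    """Flow analysis: group observed intra-application flows into allow rules.
    Each rule is keyed by (dst, port, proto) and lists the sources seen using it."""
    rules = defaultdict(set)
    for src, dst, port, proto in flows:
        if src in nodes and dst in nodes:
            rules[(dst, port, proto)].add(src)
    return {key: sorted(srcs) for key, srcs in rules.items()}

def is_permitted(rules, flow):
    """Zero-trust check at the micro-segment boundary: anything not explicitly allowed is denied."""
    src, dst, port, proto = flow
    return src in rules.get((dst, port, proto), [])
```

Running `derive_policies(FLOWS, identify_related_nodes(FLOWS, {"web-1", "web-2"}, max_hops=2))` yields five allow rules covering the load balancer, web, app, database and cache tiers, while the monitoring and payroll flows fall outside the application and are denied by default.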

Description

BACKGROUND

[0001] Datacenters or cloud environments have traditionally been secured by emphasizing perimeter protection to keep outside threats from affecting the entities within the network. Security services such as firewall were provided at the perimeter to monitor the north-south traffic (i.e., the traffic exchanged with the outside environment) and detect the outside threats.

[0002] In a multi-tenant environment, different host machines host virtual machines (VMs) for different users (or tenants). In some cases, several logically separated workloads (or guest) VMs of different tenants operate on a single host. In such shared environments, security services (as well as other services) must be applied within the datacenter, not only against external threats, but also from threats of other machines within the datacenter or other VMs running on the same host. In some such cases, the services are distributed and enforced throughout the network. For example, a distributed firewall provid...

Application Information

IPC(8): H04L29/06, H04L29/08, H04L12/26
CPC: H04L63/205, H04L63/0263, H04L43/14, H04L67/10, H04L63/0209, H04L41/12, H04L67/131, H04L41/0894, H04L41/0893
Inventors: BANSAL, KAUSHAL; SENGUPTA, ANIRBAN; MANUGURI, SUBRAHMANYAM; KRISHNA, SUNITHA; PEREIRA, JERRY
Owner: NICIRA